Splunk Search

dashboards with similar data, but different timeframes

a212830
Champion

Hi,

I have a customer who created a dashboard with 28 unique searches. (Using Splunk 6.1.1). It's some cool stuff, but, that's nuts. A lot of the searches are simply different timeframes - one day in one chart, and 1 month in the other. Any suggestions on how to prevent 28 unique searches?

0 Karma

somesoni2
Revered Legend

Easiest option would be to create a saved search for each unique search. Then in the dashboard call the saved search with a different time range.
e.g.

<dashboard>
  <label>Splunk Home</label>
  <description/>
  <row>
    <single>
      <title>Last 15 Minutes</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
  <row>
    <single>
      <title>Last 30 Minutes</title>
      <searchString>|savedsearch splunk_internal_count</searchString>
      <earliestTime>-30m@m</earliestTime>
      <latestTime>now</latestTime>
    </single>
  </row>
</dashboard>
0 Karma

martin_mueller
SplunkTrust

As an alternative or addition to post processing, you could accelerate, summarize, or schedule historic searches like the thirty day one because that's doing a lot of things over and over again without changes to the data.

Take scheduling as an example: you could have the search run over -30d@d to @d every night at 1 AM, and everyone loading the dashboard that day gets the canned results from 1 AM.

0 Karma

somesoni2
Revered Legend

That would be the best solution for these kinds of situations. It may require search/postprocess search formation based on the requirements. Some reading can be done from here.

http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/PanelreferenceforSimplifiedXML

0 Karma

a212830
Champion

Thanks. That still seems like a lot of unnecessary overlap. I recall the term "post-processor" for dashboards. Would that be appropriate? If so, can someone point me to links on how to do it?

0 Karma
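
Added example, not part of any post in this thread: the post-processing approach asked about above, sketched with the Splunk 6.1-era Simple XML elements `searchTemplate` and `searchPostProcess`. The base search over `index=_internal`, the one-minute bucketing and the panel titles are assumptions chosen to mirror the two panels in the saved-search answer.

```xml
<dashboard>
  <label>Internal event counts (post-process example)</label>
  <!-- Assumed base search: dispatched once, over the widest window any panel needs.
       It is a transforming search, so panels receive a small table
       (one row per minute) instead of raw events. -->
  <searchTemplate>index=_internal | bin _time span=1m | stats count by _time</searchTemplate>
  <earliestTime>-30m@m</earliestTime>
  <latestTime>now</latestTime>
  <row>
    <single>
      <title>Last 15 Minutes</title>
      <!-- Post-process: keep only the most recent 15 minutes of the base results. -->
      <searchPostProcess>where _time &gt;= relative_time(now(), "-15m@m") | stats sum(count) as count</searchPostProcess>
    </single>
    <single>
      <title>Last 30 Minutes</title>
      <!-- Post-process: the whole base window, summed. -->
      <searchPostProcess>stats sum(count) as count</searchPostProcess>
    </single>
  </row>
</dashboard>
```

Both panels are fed by one dispatched search instead of two. For windows as far apart as one day and one month, the base search would have to cover the full month on every dashboard load, which is the case the scheduling suggestion above addresses.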